Back in December of last year, we reported that for the first time, a U.S. law firm – Johnson & Bell, a mid-sized Chicago firm – was publicly named in a class action data security lawsuit. Last month, the firm obtained a significant victory in the case.

To briefly recap, two of Johnson & Bell’s former clients claimed in their complaint that the firm had lax data security practices that put confidential client information at risk of exposure. (Note that the plaintiffs did not claim that any actual breach had occurred, an omission which presents a significant question of standing under Article III, an issue this blog has recently covered.)

The retainer agreement between the firm and its former clients included an arbitration clause, which stated in pertinent part: “In the unlikely event of any dispute under this agreement, including a dispute regarding the amount of fees or the quality of our services, such dispute shall be determined through binding arbitration.” Based on that clause, Johnson & Bell filed a motion to require the plaintiffs to arbitrate their dispute on an individual, rather than class, basis. The firm argued that because the arbitration clause did not explicitly state that arbitration may be on a class basis, the only permissible arbitration was on an individual basis. The court agreed.

With the plaintiffs barred from class arbitration, as well as from pursuing their claims as a class action in federal court, their case suffered a serious setback. Indeed, their attorney, Jay Edelson of Edelson PC, told an interviewer that he was “obviously appealing” the court’s arbitration decision.

We will continue to monitor the case, as well as any similar cases that may be filed. As we noted in our last post, Edelson has stated that he intended to sue a number of other law firms with data security vulnerabilities. Furthermore, now that his first complaint is public, others are likely to follow suit, and we will follow such developments closely.